The Information Commissioner’s Office has issued a detailed code of practice on data sharing, including guidance on the correct steps to take if you are considering acquiring a database of clients and/or prospects.
This can arise in a number of contexts, such as the purchase of certain assets of a business or being offered a database by a data broker or marketing agency. It does not matter whether the data sharing is for money or some other consideration or whether it is done for profit or not.
As the recipient of the database, it is your responsibility to satisfy yourself as to the integrity of the data included in it and to comply with the legal requirements. It may be tempting to rely on a warranty or indemnity from the supplier, but you will be primarily liable in the event of a complaint or claim (and the supplier may then have disappeared or be insolvent, leaving you without any effective remedy against the supplier).
Before acquiring the database, it will be important for you to make appropriate enquiries and checks, including:
• Confirming the source of the data;
• Establishing the lawful basis on which it was obtained (and checking that any conditions attached to that basis were complied with);
• Verifying what individual clients and prospects were told when they handed over their personal data;
• Confirming how and when the data was initially collected;
• If consent was relied on, checking the records of such consents;
• Checking the privacy information given at the time the data was collected;
• If the personal data was obtained from a source other than the data subject, checking what privacy information was given to the data subjects;
• Checking that you only receive the data you need and not any which is excessive or irrelevant;
• Checking that the data is accurate and up to date.
You should also have a written contract with the party sharing the data with you, with a reasonable limit of liability (having previously checked their creditworthiness).
As regards the data subjects included in the list shared with you, you must give privacy information to them within a reasonable period of receiving their data and, at the latest, within a month. This must be done before you start processing the personal data for your own purposes. (There are certain exceptions to this rule; for example, you do not have to provide an individual with data they already have.)
It is worth remembering that the data sharing code does not affect direct marketing, so you must still comply with the separate rules for such marketing when you use an acquired database.